Questions tagged [kubernetes]

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.

37 questions
6 votes • 1 answer

What are the security implications of capabilities in Kubernetes pods?

We have a Kubernetes deployment with an application that needs to be on a VPN. We implement this requirement by running openvpn-client in a sidecar container within the pod with elevated capabilities: securityContext: capabilities: add: -…
Cera • 111 • 4
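As an added illustration (not part of the question above), this is how the sidecar pattern the question describes can be written so that the extra capability is confined to the openvpn-client container while the application container keeps none. It assumes the capability the question elides is NET_ADMIN, which OpenVPN needs to create its tun interface and install routes; image names and the Deployment name are placeholders.

```yaml
# Added example, not from the question. Assumptions: the needed capability is
# NET_ADMIN; images are placeholders; /dev/net/tun is exposed via hostPath.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-with-vpn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-with-vpn
  template:
    metadata:
      labels:
        app: app-with-vpn
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault      # applies to every container unless overridden
      containers:
      - name: app
        image: registry.example.com/app:1.0.0          # placeholder
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]           # the application gets no capabilities at all
      - name: openvpn-client
        image: registry.example.com/openvpn-client:1.0.0   # placeholder
        securityContext:
          # Only the sidecar receives NET_ADMIN. Never use privileged: true here:
          # that grants every capability plus host devices. Kubernetes does not set
          # ambient capabilities, so an added capability is only effective for a
          # process running as UID 0; this container therefore stays root, which is
          # exactly why its capability set is reduced to the single one it needs.
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_ADMIN"]
        volumeMounts:
        - name: tun
          mountPath: /dev/net/tun
      volumes:
      - name: tun
        hostPath:
          path: /dev/net/tun
          type: CharDevice
```

Capabilities are granted per container, but the network namespace is shared by the whole pod, so NET_ADMIN in the sidecar lets it reroute or firewall the app container's traffic; that is the intended function here and also the main thing to keep in mind when reviewing it. The hostPath volume is disallowed by the baseline and restricted Pod Security Standards, so a pod like this needs a namespace with a looser profile or an exemption, which is a useful signal that it deserves separate review.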
3 votes • 1 answer

Is it possible to run commands that exist only on the host on a docker container?

We would like to harden our Docker Image and remove redundant software from it. Our Devs and Ops asked to keep some Linux tools used for debugging on the containers running on our Kubernetes Prod environment. I’ve read this…
3 votes • 1 answer

What are the best practices for anti-virus / anti-malware when using containers?

One of the SOC 2 controls is apparently around ensuring antivirus/anti-spam/anti-malware is running on production servers. I've been googling to see if there are any recommendation/best practices for this in the container world. I'm not sure if it's…
Roly • 133 • 1 • 5
2 votes • 1 answer

How does Kubernetes Pod Security Standard (PSS) differ from Pod Security Policies (PSP) from design?

Why are we replacing PSP with PSS? What are the motivations and changes in fundamental design? Both PSS and PSP's objective is to only permit Pods that fulfill a set of secure criteria and conditions before they can be deployed. Examples would be…
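The design difference the question asks about, shown as two configuration fragments. These are added illustrations, not from the question: a PodSecurityPolicy (removed from Kubernetes in 1.25) is a cluster-scoped object that only takes effect once RBAC grants the `use` verb on it to the pod's creator or service account, whereas the Pod Security Standards are enforced by the built-in Pod Security Admission controller through labels on the namespace, with no policy object and no RBAC binding. The namespace and policy names are placeholders.

```yaml
# Added example, not from the question. Names are placeholders.
# --- The old model: a policy object plus an RBAC binding that makes it usable ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-restricted-psp
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted-psp"]
  verbs: ["use"]        # without this binding the policy is never applied to anyone
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-restricted-psp
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-restricted-psp
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:payments   # every service account in the namespace
---
# --- The new model: the standard is selected per namespace by labels ---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject non-conforming pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # warn the client on violations
    pod-security.kubernetes.io/audit: restricted     # record violations in audit log
```

The practical consequence is visible in the fragment: under PSP, a pod silently got whichever policy its creator happened to be bound to (and was rejected outright if bound to none), which is the "which policy applies?" confusion the replacement was meant to remove. Under Pod Security Admission the three fixed profiles (privileged, baseline, restricted) cannot be edited, so anything that needs a custom rule set is expected to go to an external admission controller instead.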
2 votes • 0 answers

Where should rate limit be applied?

I would like to hear the best recommendations about where to apply rate limit on APIs. We use k8s (microservices) with an ingress controller that is behind an API gateway, that is behind a firewall. The ingress controller and API gateway are on…
2 votes • 1 answer

Kubernetes bootstrap token with no expiration

I would like to know the security implications of using a bootstrap token that never expires. The reason why I'm considering doing that is that I'm using terraform and my control-plane is in an autoscaling group, so the credentials required to join a…
2 votes • 1 answer

Container Vulnerability Management

Having difficulty understanding how to translate 'traditional' vulnerability management to a cloud environment. Previously accustomed to using tools like OpenVAS and Nessus, setting up scans which target static IPs and CIDR blocks. This approach…
2 votes • 1 answer

Is it a security issue to give the default service account in a namespace an imagePullSecret in Kubernetes?

I'm creating a Kubernetes deployment that needs to pull an image from a private registry. The private registry requires credentials to authenticate to be able to pull an image, so I've added an imagePullSecret to the default service account in my…
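An added example (not from the question) of the alternative to attaching the registry credential to the default service account: a dedicated service account that carries the imagePullSecret and nothing else, referenced explicitly by the Deployment. The namespace, secret, registry host and image names are placeholders.

```yaml
# Added example, not from the question. All names and the registry are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: registry-cred
  namespace: payments
type: kubernetes.io/dockerconfigjson
stringData:
  # Use a read-only pull token, never a push-capable account.
  .dockerconfigjson: '{"auths":{"registry.example.com":{"auth":"<base64 of user:pull-token>"}}}'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-puller
  namespace: payments
# The kubelet reads this list when it pulls the pod's images. The containers
# themselves never see the secret unless RBAC separately lets them read Secrets.
imagePullSecrets:
- name: registry-cred
# Pods using this account get no API token mounted, so a compromised container
# does not automatically hold an API identity.
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: payments
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      serviceAccountName: app-puller     # explicit, instead of inheriting "default"
      containers:
      - name: app
        image: registry.example.com/app:1.0.0   # placeholder
```

Two facts bound the risk either way: the credential can be read by any principal with `get` on Secrets in that namespace, and it can be used to pull images by any principal allowed to create pods there, regardless of which service account holds it. Attaching it to the default account simply makes every pod in the namespace inherit it; a dedicated account keeps the inheritance explicit and lets `automountServiceAccountToken: false` be set without affecting other workloads.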
2 votes • 1 answer

EKS managed worker nodes security patching

Do AWS EKS managed nodes receive security patching automatically or is it the owner's responsibility to patch?
vkoukou • 23 • 3
2 votes • 0 answers

Is it safe to run a Kubernetes container as a root user?

I run my Spring Boot (Java) application in the Kubernetes environment as a root user and with JMX authentication turned on. My k8s containers are being flagged as a security risk by the security professionals in my company. Is it really a security…
Indra Basak • 121 • 3
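An added example (not from the question) of the pod spec a reviewer would typically ask for in place of a root container: the JVM is forced to a fixed non-root UID, the root filesystem is read-only, and a writable emptyDir is mounted at /tmp because the JVM needs a temporary directory. The UID, image and pod name are assumptions; the image is expected to have been built so that its files are readable by that UID.

```yaml
# Added example, not from the question. UID 10001 and the image are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: spring-app
spec:
  securityContext:
    runAsNonRoot: true     # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001       # fixed UID; the JVM does not need a passwd entry for it
    runAsGroup: 10001
    fsGroup: 10001         # mounted volumes become writable by this group
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/spring-app:1.0.0   # placeholder
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries from regaining root
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp      # java.io.tmpdir defaults here and must be writable
  volumes:
  - name: tmp
    emptyDir: {}
```

Why this matters even though the container is isolated: root inside a container is still UID 0 from the kernel's point of view, so any container breakout, writable hostPath, or leaked socket is immediately usable at full privilege, and a root process also keeps whatever capabilities the runtime leaves in the bounding set. The JMX port in the question is a separate question of exposure: with authentication on it is still reachable from other pods unless a NetworkPolicy restricts it.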
2 votes • 1 answer

In AWS EKS, how should Kubernetes certificates be generated?

This article from 2018 states (emphasis mine): It is common practices for Kubernetes clusters to self-signed their digital certificates. I often get from Security Practitioners the hairy eyeball when this fact is discussed. Why not use “real”…
Prime • 472 • 6 • 14
2 votes • 2 answers

Is IP whitelisting safe enough for a HTTP Basic protected service available on the internet?

We are discussing making one of our microservices, deployed on a public cloud on Kubernetes, available through the internet. This microservice offers some sensitive information to the clients. This microservice will be protected by HTTP Basic security…
codependent • 187 • 9
1 vote • 1 answer

How to trust the Kubernetes ingress controller?

In Kubernetes, I use an nginx ingress controller to do TLS termination and load balancing. When mutual TLS is used, the ingress controller can be configured to forward the client certificate as an http field, but this information is obviously not…
Lemon Sky • 153 • 4
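An added example (not from the question) of the two halves that make the forwarded client certificate trustworthy: the ingress-nginx annotations that verify the client certificate and pass it upstream, and a NetworkPolicy that ensures nothing but the ingress controller pods can reach the backend, so a header claiming a client identity cannot arrive from anywhere else. The namespace, host, secret and service names are placeholders; it assumes a CNI that enforces NetworkPolicy and that the ingress-nginx pods carry the label `app.kubernetes.io/name: ingress-nginx` in the `ingress-nginx` namespace, as the project's Helm chart sets.

```yaml
# Added example, not from the question. Names, host and labels are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: payments
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Secret "client-ca" in namespace "payments" holds ca.crt used to verify clients.
    nginx.ingress.kubernetes.io/auth-tls-secret: "payments/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Forward the verified certificate (URL-encoded PEM) in the ssl-client-cert header.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts: ["api.example.com"]
    secretName: api-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
---
# The header is only as trustworthy as the set of peers allowed to send it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-only-from-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # set automatically on namespaces
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx      # chart label, assumed here
    ports:
    - port: 8080
```

With the policy in place, the backend can treat `ssl-client-cert` as authenticated input from the controller; without it, any pod in the cluster (or any compromised workload) can connect directly and supply an arbitrary certificate in that header. Also worth verifying in the controller configuration: that it strips any incoming `ssl-client-*` headers from the client rather than passing them through.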
1 vote • 2 answers

Can an API endpoint hosted running on K8S be breached to compromise the entire cluster? Were there ever such attacks?

Can an exposed API endpoint or web application hosted on K8S be breached to compromise the entire K8S cluster? Were there ever such attacks? i.e., attacker compromises the spring boot based API with some /PUT, /POST calls which then compromises…
Nathan Aw • 1 • 7 • 12
1 vote • 2 answers

Kubernetes pod passwd

I have a simple Angular application and I deployed it on an Nginx server in a POD on a Kubernetes environment. I realised that I am now able to access the /etc/passwd file on the POD, without even having to log in to the POD. Since this is the…